Intel Reports

Activity Summary - Week Ending on 12 October 2023:

• Red Sky identified 9,099 connections from ‘new’ unique IP addresses
• Demenin[.]het in Ukraine hit 1,808
• 24 ‘new’ Botnets hits
• NPM
• JavaScript
• PyPI
• Kenya Being Hit Hard
• Africa
• Johnson Controls

Red Sky Alliance Compromised (C2) IP’s 

On 11 October 2023, Red Sky Alliance identified 9,099 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

 Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 11 October 2023, analysts identified 24 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers). 

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Malicious Packages Hidden in NPM - Over the past few months, the FortiGuard Labs team has discovered several malicious packages hidden in NPM (Node Package Manager), the largest software registry for the JavaScript programming language.  These packages were found through a system dedicated to discover malicious open-source packages from various ecosystems e.g. PyPI, NPM.  In this segment, analysts will look at some of these packages, grouping them based on similar styles of code or functions.[1]  In general, most of these malicious packages use install scripts that run pre or post-install.  Whenever an NPM package is installed, those scripts are run as well.  An example of this is shown below.

Figure 1: package.json of @zola-helpers/client and @expue/core package

Every package found aims to steal sensitive data, such as system or user information, via a webhook or file-sharing link. Explore the sets of packages below.

The First Set:

• @expue/webpack (version 0.0.3-alpha.0)
• @expue/core (version 0.0.3-alpha.0)
• @expue/vue3-renderer (version 0.0.3-alpha.0)
• @fixedwidthtable/fixedwidthtable (version 0.0.2)
• @virtualsearchtable/virtualsearchtable (version 0.1.1)

Figure 2: Code snippet of index.js

This first set shows an obfuscated index.js script.  However, analysts can identify some clues in the strings that may raise suspicions.   Below is to simplify this code.

Figure 3: Code snippet of simplified index.js

After cleaning up the script, we can see it exfiltrates sensitive data, including Kubernetes configurations, SSH keys, and other critical information.  It also gathers basic system fingerprinting details, like username, IP address, and hostname, without any prior warning.

The Second Set:

• binarium-crm(versions 1.0.0, 1.0.9, 1.9.9)
• career-service-client-0.1.6(versions 0.1.6, 0.1.13, 0.1.15)
• hh-dep-monitoring(versions 0.1.5, 0.1.14)
• orbitplate(versions 1.0.4, 1.0.6)

Figure 4: Code snippets of index.js from the second set of packages

The index.js in this second set of packages sends an HTTP GET request to a specific URL, including query parameters.  It scans for particular files and directories that may contain sensitive information.  This script also enables the unauthorized extraction of critical developer data, including source code and configuration files.  The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials.  It then archives these files and directories and uploads the resulting archives to an FTP server.

The Third Set:

• @zola-helpers/client (versions 1.0.1, 1.0.2, 1.0.3)
• suncorp-styleguide-base (versions 1.0.3, 1.0.4, 1.0.5)

Figure 5: Code snippet of index.mjs from the third set of packages

In this set, the index.mjs install script uses a Discord webhook to exfiltrate sensitive data, such as system information, username, and folder contents.

The Fourth Set:

• @next-translate-root/i18n (versions 1.0.1, 1.0.2)
• @ag-grid-react/lib (version 1.0.1)
• @next-translate-root/locales (versions 1.0.0, 1.0.1, 1.0.2)

Figure 6: Code snippets of index.mjs from the fourth set of packages

As with the third set, this fourth set also uses an index.mjs install script and a Discord webhook to exfiltrate sensitive data.  But this time, they use an alternate style of coding.

The Fifth Set:

• @dtx-company/flowcode-generator-types (version 200000.0.2)

Figure 7: Code snippet of index.js

This fifth set uses an index.js install script to exfiltrate host and username info and home users’ home directory contents via a webhook.

The Sixth Set:

• squarespace-abtest (version 1.0.1)
• taml.clib (version 0.1.2)
• regily (version 1.0.0)  
• developer-scaffold-full-width-wrapper (versions 1.9.9, 21.0.9)
• @abb-americas/angular-utilities (version 1.0.0)
• @abb-americas/image-scaler (version 1.0.0)
• @abdulmz/mz-test (version 1.1.1)
• @ikea-aoa/component-financial-services (version 99.0.1)
• @ikea-aoa/component-lightbox (version 99.0.1)
• @ikea-aoa/component-popover (version 99.0.0)

Figure 8: Code snippet of index.js

This set—the most commonly found style—uses yet another index.js install script to exfiltrate information.

The Seventh Set:

• @cima/prism-utils (versions 23.2.1, 23.2.2)

Figure 9: Code snippet of installer.js from the seventh set of packages

In this set, the packages use an installer.js install script to carry out the attack, similar to the previous two, but we can see that the environment variable ‘NODE_TLS_REJECT_UNAUTHORIZED’ is set to ‘0’.  This disables TLS certificate validation, which may make the connection insecure and vulnerable to man-in-the-middle attacks.

The Eighth Set:

• jss (versions 1.4.9, 1.5.0, 1.6.4)
• saaaaaaaaaaaaaaaaaaaaaaa (version 1.4.1)

Figure 10: Code snippet of index.js from the eighth set of packages

This package automatically downloads and executes a potentially malicious executable file from a URL to a C:/ directory.

The Ninth Set:

• evernote-thrift (version 1.9.99)
• en-features-rollout (version 1.90.9)
• en-conduit-electron (version 1.90.9)
• en-conduit-electron-auth (version 1.90.9)
• en-conduit-electron-worker (version1.90.9)
• en-thrift-internal (version 2.30.9)
• en-conduit-electron-renderer (version 1.90.9)

Figure 11: Code snippet of index.js from the ninth set of packages

This package uses another script style to gather system information, including the victim’s public IP address and then exfiltrates this information to a discord webhook.

Conclusion - This report groups together a collection of malicious NPM packages that use install scripts to steal users’ sensitive info based on styles of code or functions.  End users should watch for packages that employ suspicious install scripts and exercise caution.  Fortinet analysts will continue hunting for and reporting malicious packages to help users avoid becoming victims.

IOCs

• @zola-helpers/client-1.0.1 index.mjs

MD5: e905c2915762e6c1fa57ff3b444411da

• @zola-helpers/client-1.0.2 index.mjs

MD5: 1e5a38b17453379af9107a9afce0963f

• @zola-helpers/client-1.0.3 index.mjs

MD5: c7325f2347833eba9869926226027330

• @next-translate-root/i18n-1.0.1 index.mjs

MD5: cb37bd25c3011ffdd10c0db976c77b45

• @next-translate-root/i18n-1.0.2 index.mjs

MD5: c4bf513d91909de6d8c8e28fe317950a

• suncorp-styleguide-base-1.0.3 index.mjs

MD5: 404c75ee8c8a2241e94773a5f46cd372

• suncorp-styleguide-base-1.0.4 index.mjs

MD5: 0b4da6e4a3d7f0d43afc1ce5a567aeed

• suncorp-styleguide-base-1.0.5 index.mjs

MD5: fbf108d9534e2a065ba62198d7ab226c

• @ag-grid-react/lib-1.0.1 index.mjs

MD5: 42d7f4f9e4d837c5f1217165e92d0136

• @next-translate-root/locales-1.0.0 index.mjs

MD5: 312368807bee4e8876acec4dba528f13

• @next-translate-root/locales-1.0.1 index.mjs

MD5: cb37bd25c3011ffdd10c0db976c77b45

• @next-translate-root/locales-1.0.2 index.mjs

MD5: c4bf513d91909de6d8c8e28fe317950a

• @dtx-company/flowcode-generator-types-200000.0.2 index.js

MD5: 1b80da13c2d440b51de3e3b1f84b30b6

• squarespace-abtest-1.0.1 index.js

MD5: 0976fc4401a315d8182828d07b0e4a02

• taml.clib-0.1.2 index.js

MD5: 489af9e516d133f8341bc50068b3a505

• regily-1.0.0 index.js

MD5: 8333f68439addfe5d80d7cf8646d74f6

• developer-scaffold-full-width-wrapper-1.9.9 index.js

MD5: c627ce5ec695ea663b88a09fb31ea319

• developer-scaffold-full-width-wrapper-21.0.9 index.js

MD5: 563cf757e5f61a592f53506c81360e4a

• @abb-americas/angular-utilities-1.0.0js

MD5: 2965d88976fee79d1e3ef69e5edc5d83

• @abb-americas/image-scaler-1.0.0js

MD5: 0876c5969dc829f2f56b455ae38a2536

• @abdulmz/mz-test-1.1.1js

MD5: ecd47a29a7e5132f94b1c7c0689e2e5a

• @ikea-aoa/component-financial-services-99.0.1js

MD5: 025809495e179b4f7ef0db8af88381e7

• @ikea-aoa/component-lightbox-99.0.1js

MD5: 025809495e179b4f7ef0db8af88381e7

• @ikea-aoa/component-popover-99.0.0js

MD5: 025809495e179b4f7ef0db8af88381e7

• @cima/prism-utils-23.2.1 installer.js

MD5: 42d84beccb38c08700920b70549f5a87

• @cima/prism-utils-23.2.2 installer.js

MD5: 25de187869441c3aa506ddc5fe6839ea

• jss-1.4.9 index.js

MD5: dc60d3e82ff0273309a2a9e1b7f89ea3

• jss-1.5.0 index.js

MD5: 740eca0a347fe0d0aa8ca8ec4ebf2dd2

• jss-1.6.4 index.js

MD5: 5182a61ee33247e2a426c4ddfe8196dc

• saaaaaaaaaaaaaaaaaaaaaaa-1.4.2 index.js

MD5: 8458b6a4196e5d86e241c758ce89d1e5

• evernote-thrift-1.9.99 index.js

MD5: 359f456996c39e7882afeda8fbbf226f

• en-features-rollout-1.90.9 index.js

MD5: 0f67856db1e0c466d13079cc9cb16963

• en-conduit-electron-1.90.9 index.js

MD5: 0f67856db1e0c466d13079cc9cb16963

• en-conduit-electron-auth-1.90.9 index.js

MD5: 0f67856db1e0c466d13079cc9cb16963

• en-conduit-electron-worker-1.90.9 index.js

MD5: 0f67856db1e0c466d13079cc9cb16963

• en-thrift-internal-2.30.9 index.js

MD5: 0f67856db1e0c466d13079cc9cb16963

• en-conduit-electron-renderer-1.90.9 index.js

MD5: 0f67856db1e0c466d13079cc9cb16963

• @expue/webpack-0.0.3-alpha.0 index.js

MD5: 084c4c5a1d36fbdab6705a2fbd7e849e

• @expue/core-0.0.3-alpha.0 index.js

MD5: 8b82f6112b22bd67cccc4ad238bfea7c

• @expue/vue3-renderer-0.0.3-alpha.0 index.js

MD5: 084c4c5a1d36fbdab6705a2fbd7e849e

• @fixedwidthtable/fixedwidthtable-0.0.2 index.js

MD5: 084c4c5a1d36fbdab6705a2fbd7e849e

• @virtualsearchtable/virtualsearchtable-0.1.1 index.js

MD5: 37f9d6a97af8d7589bbc11aadcf185ec

• binarium-crm-1.0.0 index.js

MD5: acf9777d3fabc82b49ddb096147de6a9

• binarium-crm-1.0.9 index.js

MD5: acf9777d3fabc82b49ddb096147de6a9

• binarium-crm-1.9.9 index.js

MD5: acf9777d3fabc82b49ddb096147de6a9

• career-service-client-0.1.6 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

• career-service-client-0.1.13 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

• career-service-client-0.1.15 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

• hh-dep-monitoring-0.1.5 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

• hh-dep-monitoring-0.1.14 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

• orbitplate-1.0.4 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

• orbitplate-1.0.6 index.js

MD5: 3d1dbd501ebaae4745f6ec37850f9ff5

GLOBAL TRENDS:

Kenya – African country Kenya has witnessed an alarming surge in cyberattacks, with a staggering 860 million incidents recorded in the past year, according to the country's communications regulator.  The regulator has expressed concerns over the escalating frequency, sophistication, and scale of these cyber threats, particularly targeting Kenya's critical information infrastructure.

To put this into perspective, back in 2017, Kenya faced 7.7 million cyberattacks, highlighting the significant increase over the past four years.  One notable incident in July saw a high-profile cyberattack attributed to the pro-Russian hacking group Anonymous Sudan.  This attack disrupted access to more than 5,000 online government services in Kenya, affecting crucial functions such as visa, passport, and driver's license applications and renewals. The assault also crippled online train booking systems and mobile money transactions.

The Communications Authority of Kenya revealed that a substantial 79% of these cyber-attacks were a result of criminals infiltrating the computer systems of various organizations.  14% were involved the use of malicious software, 6.5% featured cybercriminals overwhelming servers with traffic to overload their infrastructure, and the rest targeted web applications.  Regrettably, Kenya now ranks as the third most targeted country for cyber criminals in Africa, trailing behind Nigeria and South Africa.  This worrying trend underscores the need for heightened cybersecurity measures to safeguard the nation's critical digital assets.[2]

US - Businesses with government contracts ripe targets for cyber-attacks.  An apparent cyber-attack on a major building automation systems manufacturer is gathering national attention after reports that it may have compromised some data belonging to the Department of Homeland Security.  Why it matters: Government contractors are a ripe target for cyberattacks, and the Biden administration has made it a priority to apply tougher cybersecurity rules to any business working with the government. 

Driving the news: CNN reported Monday that DHS is investigating whether a reported ransomware attack targeting Johnson Controls International affected sensitive physical security information, including building floor plans.[3]  Johnson Controls has not yet determined the full extent of the incident, saying in a statement only that the company is continuing "to assess what information was impacted" and is "executing our incident management and protection plan." 

Details: Johnson Controls has been responding to a reported ransomware attack for at least a week, according to BleepingComputer.  The company manufactures security equipment, industrial control systems, fire safety equipment and other physical security devices.  Customers have included international aerospace manufacturers, universities and medical facilities.

The intrigue: No ransomware gang has claimed responsibility for the reported attack yet — suggesting that if this is a ransomware incident, the company could still be in negotiations over whether to pay a ransom to unlock its systems.

Between the lines: Johnson Controls is far from the first government contractor to face a cyberattack or espionage campaign.

A high-profile espionage campaign in late 2020 that affected at least nine federal agencies and at least 100 companies started with Chinese hackers targeting government contractor SolarWinds.  Another government contractor, Maximus, suffered a breach this year as hackers targeted a vulnerability in the popular file-transfer tool MOVEit.  What they're saying: Johnson Controls hasn't shared any additional details about the incident besides what it told the Securities and Exchange Commission in a brief statement in a public 8-K filing last week. The filing says the company has "experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident."

[1] https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm?lctg=141970831

[2] https://www.msn.com/en-xl/africa/other/kenya-hit-by-record-860m-cyber-attacks-in-a-year/ar-AA1hDe5d

[3] https://www.axios.com/2023/10/03/johnson-controls-contractor-cyberattack